- AccessChk: View effective permissions on files and folders - Thu, Apr 13 2023
- Read NTFS permissions: View read, write, and deny access information with AccessEnum - Wed, Mar 29 2023
- Kill Windows a process with Tskill and Taskkill - Mon, Mar 13 2023
The best practice for updating anything—whether it's a Windows system or a line-of-business application—is to perform the update in a test or pre-production environment first. After an evaluation period, in which you should confirm everything works well, you can apply the update to a production environment.
This is especially important on servers. On clients, it is more common to give a small group of users the updates first and raise a support request if anything does not work as expected. The whole process can be quite cumbersome and time consuming, especially in larger environments. Many third-party products are available to deploy Windows updates, but most of them usually require separate servers deployed and configured.
WuInstall is a simple command-line tool you can use right away to deploy patches in minutes. In this review, I will demonstrate how easy it is to work with the tool.
The only thing you need to do is to download WuInstall from their website and extract WuInstall.exe from the zip archive. Yes, it's that simple.
WuInstall is a command-line tool only. If you execute it without any parameters or start it via double-click, you will get a simple UI with a few buttons that lead to online sources. The Usage button opens up a graphical version of help with all parameters explained.
Note: There is also a WuInstallAMD64.exe available, but WuInstall.exe worked just fine on Windows Server 2019. Throughout this post, I will use WuInstall.exe.
Working with WuInstall
The tool has several basic options and dozens of advanced parameters. Use WuInstall.exe /help to get a list of parameters and brief descriptions. You can also refer to the PDF document found in the downloaded zip archive for even more detailed information.
To use WuInstall, you always need to specify a single basic option followed by optional advanced parameters. For example:
WuInstall.exe /download_to "D:\WuInstall" /logfile "D:\myLog.txt"
This will scan the computer for missing updates, download them to the Windows Update cache folder (C:\Windows\SoftwareDistribution\Download by default), copy them to D:\WuInstall, and create an additional log file. The log is a simple text transcript of messages with timestamps shown from the command prompt.
Note: When using WuInstall interactively on a local computer, always run it from a command line with elevated permissions.
Windows Update vs. WSUS
WuInstall is written in C++ and uses native Windows Update application programming interfaces (APIs). Therefore, if the target system is configured to download updates from a Windows Server Update Services (WSUS) server, WuInstall will search and download from a WSUS server by default. If there's no WSUS server configured, it will use the standard Windows Update server. You can change this behavior via the optional parameter /UseUpdateService with the options MicrosoftUpdate, WindowsUpdate, WSUS, or Default. For example:
WuInstall.exe /download /UseUpdateService MicrosoftUpdate
This will search and download all patches available for the target system on the Microsoft Update services server.
Note: Windows Update only offers updates for the Windows operating system itself, while Microsoft Update also covers other products like Office.
Saving bandwidth usage with cache options
Another cool WuInstall feature is the possibility to create an update cache from any network share available. This might be especially handy for branch offices with slower WAN connections where downloading updates from multiple computers might take a long time or cause issues with other services. You can create the cache and download updates without applying them first via the following command:
WuInstall.exe /download_cache \\share\cache
Or you can create the cache and install the patches right away:
WuInstall.exe /install_cache \\share\cache /nocachedel /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
Now when you run the command on any other computer, it will first check whether the patch is available in the cache folder before trying to download it from the internet.
I was surprised how easy it is to search, download, and install updates with a single command:
WuInstall.exe /install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
The /reboot_if_needed parameter is needed because by default, WuInstall will not restart the computer. In some cases, one reboot is not enough to apply all patches. You can solve this by adding the /rebootcycle parameter, which will start another round of updates after the reboot.
Updating remote computers
So far, I have worked with WuInstall interactively. But its main benefit is the ability to update remote computers. There are several options to achieve this. The first is the built-in option /remote, which uses the PAExec tool (similar to PSExec). To update remote computers, use the following command:
WuInstall.exe /install /remote "\\mgmt,dc -u lab\administrator -p Passw0rd" /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
Another option is to create a text file with one computer name per line and let the command read the file:
WuInstall.exe /install /remote "@computers.txt -u lab\administrator -p Passw0rd" /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
What will actually happen is that PAExec will copy WuInstall.exe to the remote computer ADMIN$ share and call it from there.
Another possibility is to use PSExec from Sysinternals. For this, you should have WuInstall.exe available on a network share accessible by the remote computer. In this example, I will run the updates from a cache folder:
psexec.exe \\mgmt -u lab\administrator -p Passw0rd -c -s \\share\wuInstall.exe /install_cache \\share\cache /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
If you run this command on multiple computers, add the -d parameter to PSExec.exe so it does not wait for each computer to finish.
However, both methods require you to enter the password in some way; otherwise, the command would fail. In the first case of PAExec (WuInstall.exe /remote), it would fail right away with an access denied error. In the second case with PSExec, this would fail on the access denied to the remote share.
A simple way of applying updates to remote computers without specifying the username and password is to copy WuInstall.exe to the remote computers (in my case C:\temp) in advance and then run the following command:
psexec.exe \\mgmt -s C:\temp\WuInstall.exe /install /autoaccepteula /silent /reboot_if_needed /rebootcycle 3
Unfortunately, it is not possible to use the cache folder here because accessing a remote share without credentials would fail with an access denied error.
As you may correctly assume, you have to run this command (or script) under a user account that has administrative privileges on the target computers. Also remember that both options require Server Message Block (SMB) ports 137 and 445 open on the target computers.
As you have seen, using WuInstall to manage Windows updates is a fast, straightforward process. It only takes a few minutes to get the tool and start updating. There are many advanced options available that I was unable to cover in this review. To get more information about specific options and pricing, visit the WuInstall website.